Security News: Bluetooth Bug Triggers Patch Frenzy, as Ransomware Attack Hits Global Shipper

A scary Bluetooth bug. A crippling ransomware attack. A cyber threat to the U.S. electrical grid. A data leak of trade secrets from major car makers such as Tesla and GM. These were some of the security industry news that caught our eye last week.

Bluetooth vulnerability rattles vendors, end users

The disclosure of a major flaw in Bluetooth last week has sent vendors of all shapes and sizes scrambling to patch their products, including cell phones and computers.

The bug, found by researchers at the Israel Institute of Technology, affects the elliptic curve Diffie-Hellman key exchange mechanism employed by Bluetooth. “The authentication provided by the Bluetooth pairing protocols is insufficient,” they wrote.

The CERT advisory explains that an unauthenticated, remote attacker within range could use a “man-in-the-middle” network position to find out the cryptographic keys used by the device. “The attacker can then intercept and decrypt and/or forge and inject device messages,” it reads.

Writing in Ars Technica, Dan Goodin elaborates on the nefarious actions the bad guys could unleash: “Attackers can view any exchanged data, which might include contacts stored on a device, passwords typed on a keyboard, or sensitive information used by medical, point-of-sale, or automotive equipment. Attackers could also forge keystrokes on a Bluetooth keyboard to open up a command window or malicious website in an outright compromise of the connected phone or computer.”

The Bluetooth Special Interest Group (SIG) said the vulnerability impacts two features — Secure Simple Pairing and LE Secure Connections — if they’re implemented in a way that doesn’t require public key validation during the pairing procedure.

“To remedy the vulnerability, the Bluetooth SIG has now updated the Bluetooth specification to require products to validate any public key received as part of public key-based security procedures,” the group wrote. It added there’s no evidence the vulnerability has been maliciously exploited.

Vendors that have published advisories include: Intel,  Lenovo, Samsung, LG, Huawei, Dell, and Apple, which has bulletins for MacOS High Sierra 10.13.5 and 10.13.6, and for iOS.

More information:

• Bluetooth Vulnerability Still Being Patched
• “Severe” Bluetooth communication breach discovered
• Bluetooth security: Flaw could allow nearby attacker to grab your private data
• Bluetooth flaw allows man-in-the-middle attacks
• Bluetooth Bug Allows Man-in-the-Middle Attacks on Phones, Laptops

Maritime shipping company braving ransomware storm

A ransomware attack severely disrupted the Americas’ operations of Chinese maritime shipping company Cosco last week, the latest reminder of how crippling these breaches can be.

Among carriers of containerized goods, Cosco (China Ocean Shipping Co.) is the largest in China, and the fourth largest worldwide, according to the BBC.

The attack hit Cosco on Tuesday. It caused network failures in the U.S., Canada, Panama, Argentina, Brazil, Peru, Chile and Uruguay, impacting email and IP phone communications, the company said.

While it’s been recovering from the attack, the company was still cleaning up the mess on Monday, having to use temporary Yahoo email addresses to conduct certain business, and keeping its U.S. website offline.

Cosco hasn’t provided details on the attack.

More information:

• Shipping company’s networks in the Americas crippled by ransomware attack
• Long Beach Port terminal hit by ransomware attack
• Cosco Shipping targeted in ransomware attack
• Ransomware Infection Cripples Shipping Giant COSCO’s American Network

Russian hackers could have turned off the lights across U.S.

Last week, we also learned that state-sponsored Russian hackers gained access all the way to U.S. electric utilities’ control rooms, giving them the chance to trigger blackouts across the country. That’s according to comments made to The Wall Street Journal by officials from the U.S. Department of Homeland Security (DHS).

Using spear-phishing emails, the hackers first broke into the systems of third-party vendors that provide services to the utilities. Once there, they stole passwords to the utilities’ systems. This is a classic case of “vendor risk.”

The hacking campaign began in 2016 may still be going on.

More information:

• Russian Hack Into US Power Grid Began With Stolen Passwords
• Russian Hackers ‘Could Have Caused Electricity Blackouts’ in the U.S.
• U.S. officials say Russian hackers infiltrated electric utilities
• Russian Hackers Appear to Shift Focus to U.S. Power Grid

Troves of car makers’ confidential data exposed by careless supplier

In another case of vendor risk, a robotics supplier exposed 157 gigabytes of confidential data belonging to more than 100 auto industry suppliers and manufacturers, including Tesla, GM, Toyota, Ford and VW.

Level One Robotics, based in Canada, stored the data on a publicly accessible server that used the rsync file transfer protocol and that wasn’t restricted by IP or user, according to security vendor UpGuard, which made the discovery in early July.

The exposed data included “over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information,” UpGuard wrote in a blog post.

Level One Robotics secured the server on July 10 after being alerted by UpGuard. It’s not clear how long the data was exposed, nor whether the information was accessed by any unauthorized parties.

Level One Robotics CEO Milan Gasko told Ford Authority the company is investigating “the nature, extent and ramifications of this alleged data exposure”,” but that he believes it’s “extremely unlikely” anyone outside the company viewed the data.

“The inadvertent exposure of customers’ data illustrates a problem confounding businesses: Some of their biggest security risks come from their suppliers and contractors,” The New York Times’ Stacy Cowley wrote. “Many of the worst recent data breaches began with a vendor’s mistake.”

Independent computer security analyst Graham Cluley also chimed in, describing the incident as a “classic supply-chain problem.”

“Millions is spent by large companies on securing their systems and data from hackers, but the risks posed by third-party suppliers is often overlooked,” he wrote. “Suppliers may have access to some of your company’s sensitive data, or even be able to log into your network with their own credentials.”

More information:

• Massive data breach exposes huge trove of automakers’ secrets
• Big auto makers’ trade secrets exposed in data leak traced to small Canadian company
• Robo-drop: Factory bot biz ‘leaks’ automakers’ secrets onto the web
• Tesla, VW data was left exposed by supply chain vendor Level One Robotics

In other security news:

• LifeLock, whose business centers on ID theft protection, exposed customers’ email addresses via an improperly configured marketing website.
• Google Chrome has started labeling websites that don’t use HTTPS as “not secure”.
• Fraudsters are stealing billions of dollars from businesses via email scams.